Screen OS

  • 1.  Incoming NAT...on DIP

    Posted 11-14-2008 02:14

    Hello,

    I have a problem regarding a DIP on an SSG520M firewall (ScreenOS 6.0.0r7).

    The firewall is configured with 2 interfaces:

    - untrust (route mode, with a DIP defined on an external subnet with no port translation - 83.x.y.0/24)

    - trust (route mode)

    There's a policy applying the DIP from the Trust interface to the internet, and that's working flawlessly.

    My problem is, I have to allow some specific traffic from the internet to the trusted addresses: some users have to receive sessions on specific ports.

    This ain't working at all: taking a look at the traffic log from the Internet to the Trusted networks, I noticed that the destination address (taken from the DIP pool) is not translated back into the corresponding Trust address...it remains the same!

    I.e.:

    a DIP element: 172.27.0.100 -> 83.X.Y.234

    Source Address/Port:                 124.123.90.170:27085
    Destination Address/Port:            83.x.y.234:512
    Translated Source Address/Port:      124.123.90.170:27085
    Translated Destination Address/Port: 83.x.y.234:512

    I have to add that at the moment there's no route on the firewall to the 83.x.y.0/24 network (because it's just a DIP pool).

    It seems that I have to allow an incoming NAT on DIP.

    I tried to enable it on the DIP tab under the interface settings, and then I wrote a policy with the DIP pool as a destination address, but ScreenOS responded that this function worked for VoIP traffic only.

    Any help would be greatly appreciated!

    Thanks for your time, and best regards.




  • 2.  RE: Incoming NAT...on DIP

    Posted 11-14-2008 08:53

    Let me make sure I understand your requirement.

    Users creating outbound NAT sessions are working.

    However, some users have a bi-directional NAT requirement: where they are going to initiate outbound sessions, and there will be inbound sessions initiated to them. If so, for this bi-directional NAT requirement, then you can use a MIP configuration. Take some of the addresses out of the DIP pool and use them to configure a MIP. When you create the inbound policy with the MIP, the outbound connections will automatically use that same IP too. For more information on creating a MIP, refer to
    KB10923 - MIP - Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips

    If you don't need the bi-directional requirement, i.e. those inbound sessions are only going to be inbound, you can configure policy NAT-Dst. For more information, refer to the C&E guide:
    ScreenOS Concepts & Examples Reference Guide - Address Translation
    Example: NAT-Dst with Port Mapping on page 46

    Let us know how that goes.

    --Josine



  • 3.  RE: Incoming NAT...on DIP

    Posted 11-14-2008 09:09

    Hello,

    yes, it's all correct: user outbound connections are working.

    The requirement is bi-directional; my problem is, I do not know which user may need the bidirectional service: I have to enable it for every one of them.

    I cannot use MIPs, because I haven't got enough public IPs for every user on the "trusted" interface.

    I thought that using a DIP without port translation could have allowed inbound connections too; is there any other option...like some sort of "MIP pool"?

    Thanks again.

    Message Edited by FWProzac on 11-14-2008 09:09 AM


  • 4.  RE: Incoming NAT...on DIP

    Posted 11-17-2008 07:50

    If you want a client to use the *same* address for both outgoing sessions and incoming sessions, then a MIP is the answer.

    If it's ok that a different IP address is used for the incoming sessions, then you can use the policy NAT-Dst method. Policy NAT-Dst also allows for a pool. However, you need to know what to map it to. Can you elaborate further on the application?

    --Josine



  • 5.  RE: Incoming NAT...on DIP

    Posted 11-17-2008 08:42

    Hello,

    first of all, thanks for the help so far.

    Well, the application is simple: the firewall provides internet connectivity to some hundreds of customers, located in a MAN with private addressing: that is, when the customers authenticate via PPPoE, they are given a private IP address (172.27.0.0/16).

    A policy manages the traffic from the MAN to the internet: a DIP pool provides a public address to every customer (without port translation).

    The problem is, a number of applications (like p2p) require the end user PC to be reachable from the internet to work properly.

    A NAT-dst wouldn't work, because each customer would have 2 different addresses (one outgoing, from the DIP pool, and one incoming, from the NAT-dst).

    So probably the only way is to tighten the DHCP range (not a /16 class like 172.27.0.0/16, but another with a narrower subnet mask), and to make a MIP for each of those addresses; that's plain horrible, in my opinion, and I'm a bit disappointed that a brand new SSG cannot manage what a crappy year-old PIX did.

    I wonder about what using a DIP pool without port translation is good for: just to preserve the source port for outgoing connections?

    Thanks for your help and your time.

    Regards




  • 6.  RE: Incoming NAT...on DIP

    Posted 11-18-2008 23:17

    >> So probably the only way is to tighten the DHCP range (not a /16 class like 172.27.0.0/16, but another with a narrower subnet mask), and to make a MIP for each of those addresses

    Agreed.

    >> I wonder about what using a DIP pool without port translation is good for: just to preserve the source port for outgoing connections?

    Yes, you are correct, customers configure DIP pools to preserve the source port for some applications. The applications require it.

    Typically we see that DIP pools are configured with port address translation.

    Let us know how it goes.

    --Josine




  • 7.  RE: Incoming NAT...on DIP

    Posted 11-25-2008 02:18

    Hello again,

    the MIP option works flawlessly, but I was thinking of another setup:

    - a DIP from the 172.27.0.0/16 to the Internet (83.137.x.y)

    - a NAT-Dst from the internet to the 172.27.0.0/16, if ScreenOS preserves the same binding between public and private address.

    ASAP I'll give it a try on a mini lab; in your opinion, could it work?

    Thanks again for your time and your insight.




  • 8.  RE: Incoming NAT...on DIP
    Best Answer

    Posted 11-28-2008 20:18

    If you're doing Source Address Shifting, that should work.

    Concepts & Examples ScreenOS Reference Guide - Volume 8 - Address Translation

    Chapter 2
    NAT-Src from a DIP Pool with Address Shifting

    However, this basically is accomplishing the same thing as a MIP. My understanding was that you didn't have enough IPs to do the one-to-one mapping of the entire /16 subnet.

    What's your reservation with doing the MIP option?

    --Josine


    Message Edited by PentinProcessor on 11-28-2008 08:18 PM
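As an added illustration (not code from the thread or from Juniper), this Python model contrasts the fix-port DIP pool in the original post, where an unsolicited inbound packet finds no binding to translate back to, with the address-shifting DIP / MIP style mapping suggested in this answer, which an inbound NAT-Dst policy can rely on. The pool behaviour is simplified, and 203.0.113.0/24 is a constructed stand-in for the poster's 83.x.y.0/24.

```python
import ipaddress

# Constructed model of the two ScreenOS translation styles discussed in the
# thread (not ScreenOS code). 203.0.113.0/24 stands in for 83.x.y.0/24.

class DynamicDip:
    """Simplified fix-port DIP pool: a public address is leased to a private
    host only while it has an outbound session, so an unsolicited inbound
    packet finds no binding and keeps its public destination address."""

    def __init__(self, first_public, last_public):
        lo, hi = ipaddress.ip_address(first_public), ipaddress.ip_address(last_public)
        self.free = [lo + i for i in range(int(hi) - int(lo) + 1)]
        self.lease = {}  # private -> public, only while a session exists

    def outbound(self, private):
        private = ipaddress.ip_address(private)
        if private not in self.lease:
            self.lease[private] = self.free.pop(0)  # IndexError if pool exhausted
        return str(self.lease[private])

    def inbound(self, public):
        public = ipaddress.ip_address(public)
        for priv, pub in self.lease.items():
            if pub == public:
                return str(priv)
        return None  # no session: destination is not translated back


class ShiftedDip:
    """DIP pool with address shifting (or an equivalent block of MIPs): a
    fixed one-to-one mapping private+k <-> public+k, reversible both ways,
    which is the property an inbound NAT-Dst policy needs."""

    def __init__(self, first_private, first_public, count):
        self.priv0 = ipaddress.ip_address(first_private)
        self.pub0 = ipaddress.ip_address(first_public)
        self.count = count

    def outbound(self, private):
        k = int(ipaddress.ip_address(private)) - int(self.priv0)
        return str(self.pub0 + k) if 0 <= k < self.count else None

    def inbound(self, public):
        k = int(ipaddress.ip_address(public)) - int(self.pub0)
        return str(self.priv0 + k) if 0 <= k < self.count else None


if __name__ == "__main__":
    d = DynamicDip("203.0.113.100", "203.0.113.102")
    print(d.inbound("203.0.113.100"))  # None: nothing has gone out yet
    print(d.outbound("172.27.0.5"), d.inbound("203.0.113.100"))
    s = ShiftedDip("172.27.0.11", "203.0.113.101", 5)
    print(s.outbound("172.27.0.13"), s.inbound("203.0.113.103"))
```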